[unisog] New Virus?

Marc Jimenez mjimenez at net.tufts.edu
Wed Sep 10 19:57:25 GMT 2003


Hi Stephanie,
	We've been dealing with precisely this for several days now.
	It's called AGOBOT.AB by Trend.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.AB&VSect=T

	We got definitions from Trend yesterday late afternoon.

	-M




Marc Jimenez
Network Engineering
Tufts University


"Read all instructions before applying adhesive."
-Large Print on Lid of Bucket; words to live by.

"Diplomacy" is saying "nice doggy" until you can find a big rock.
-Heinlein

On Wed, 10 Sep 2003, Stephanie Hagopian wrote:

> Our campus has seen a unique virus that displays the same symptoms as
> two viruses already in existence (Gaobot.AA and Sdbot.N) but this one
> doesn't show up in the latest virus definitions. Evidence has already
> been submitted to Symantec from our office for forensics.
>
> Please let me know if anyone else has seen signs of this:
>
> SYMPTOMS:
>
> -heavy NetBIOS scanning, mostly port 445, but 135 has been seen as well
> -could be confused with Welchia:
> The attackers may have used the same RPC vulnerability to infect the
> victims.
> - The victims connect to an IRC server and begin issuing DDOS commands
> using spoofed IPs.
> -exploits weak or absent Admin passwords/shares
> -floods network with spoofed IP packets (RFC1918 source IP addresses):
> The worm attempts to spread to non-existent IP addresses in the same
> subnet. This causes a lot of network disruption.
>
> On machine, look for:
>
> 1. C:\WINNT\System32 and delete
> -scvhost.exe (rather than normal svchost.exe)
> -winhlpp32.exe
>
> 2. Task Manager reveals scvhost.exe, stop process
>
> 3. Go to the registry and look for the following keys:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
>
> Look for "ConfigLoader---scvhost.exe" and delete both keys
>
> 4. all machines I saw were running Win2K and also were infected with
> Welchia, or had Welchia a few weeks ago and had the worm recently cleaned
> off, which is why I think this exploits the same vulnerability as Welchia.
>
> 5. NO ADMIN OR WEAK ADMIN PASSWORDS
>
> All the machines I've seen had the latest virus definitions and the
> latest hotfixes but were still found to have this.
>
>
> --
> Stephanie A. Hagopian
> IT Security Analyst
> University of North Carolina-Chapel Hill
> 105 Abernethy Hall
>
> https://www.unc.edu/security/staff/shagopia
>
>
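As an added example (not part of either message above), here is a small Python check a network group could run over flow records to catch the two network-side symptoms Stephanie lists: a host fanning out to many distinct peers on 445/135 within a short window, and traffic with RFC1918 source addresses on a campus that uses public addressing. The flow line format ("epoch src dst dport"), the thresholds and the campus prefixes (RFC 5737 documentation ranges standing in for real ones) are assumptions, and the sample flows are constructed.

```python
"""Network-side checks for the two symptoms described in the report.

Constructed example, not code from the thread: the flow line format
("epoch src dst dport"), the thresholds and the campus prefixes are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed campus prefixes: RFC 5737 documentation space standing in for real ones.
CAMPUS_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
SCAN_PORTS = {445, 135}   # ports named in the report
MIN_TARGETS = 20          # distinct peers inside one window before we call it a scan
WINDOW_S = 60             # window width in seconds


def parse_flows(text):
    """Parse 'epoch src dst dport' lines into (ts, src, dst, dport) tuples.
    Blank lines and '#' comments are skipped; a malformed line raises ValueError."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst), int(dport)))
    return flows


def find_scanners(flows, ports=SCAN_PORTS, min_targets=MIN_TARGETS, window_s=WINDOW_S):
    """Map each source that reaches at least min_targets distinct destinations on
    the given ports within any window_s-second span to its peak distinct count.
    A worm sweeping its own /24 produces exactly this fan-out; a workstation
    talking to a handful of file servers does not."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ports:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> hits inside the current window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events older than window_s from the left edge of the window
            while ts - events[left][0] > window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def find_spoofed_sources(flows, campus_nets=CAMPUS_NETS):
    """Return source addresses from RFC 1918 space. On a campus addressed only
    from public prefixes no real host can originate them, so they point at a
    spoofing flood (or a misconfigured NAT/VPN box worth looking at anyway)."""
    if any(c.overlaps(p) for c in campus_nets for p in RFC1918):
        raise ValueError("campus uses RFC 1918 space; this check does not apply")
    return {src for _, src, _, _ in flows if any(src in net for net in RFC1918)}


def build_sample_flows():
    """Constructed sample (not captured data): one infected host sweeping 40
    neighbours on 445/135 in 40 seconds, one normal host, and a spoofed flood."""
    t = 1063223845   # arbitrary epoch in September 2003
    lines = ["# epoch src dst dport"]
    for i in range(1, 41):
        port = 135 if i % 10 == 0 else 445
        lines.append(f"{t + i} 203.0.113.50 203.0.113.{100 + i} {port}")
    lines += [f"{t + 5} 203.0.113.7 198.51.100.10 445",
              f"{t + 9} 203.0.113.7 198.51.100.10 445",
              f"{t + 30} 203.0.113.7 198.51.100.11 445"]
    for i in range(5):
        lines.append(f"{t + 50 + i} 10.{i}.{i}.{i} 192.0.2.80 80")
        lines.append(f"{t + 50 + i} 192.168.{i}.1 192.0.2.80 80")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    for src, n in find_scanners(flows).items():
        print(f"scanner: {src} reached {n} distinct hosts on {sorted(SCAN_PORTS)}")
    for src in sorted(find_spoofed_sources(flows)):
        print(f"spoofed source: {src}")
```

The fan-out threshold is the knob to tune: a backup or patch-management server legitimately touches many hosts on 445, so run the check on a quiet segment first and exempt known management hosts. The RFC 1918 check is only meaningful on publicly addressed networks, which is why it refuses to run when a campus prefix overlaps private space.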


